CVE-2021-32717

Private files publicly accessible with Cloud Storage providers

Severity Score

7.5

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

*SSVC

Descriptions

Shopware is an open source eCommerce platform. In versions prior to 6.4.1.1 private files publicly accessible with Cloud Storage providers when the hashed URL is known. Users are recommend to first change their configuration to set the correct visibility according to the documentation. The visibility must be at the same level as `type`. When the Storage is saved on Amazon AWS we recommending disabling public access to the bucket containing the private files: https://docs.aws.amazon.com/AmazonS3/latest/userguide/access-control-block-public-access.html. Otherwise, update to Shopware 6.4.1.1 or install or update the Security plugin (https://store.shopware.com/en/detail/index/sArticle/518463/number/Swag136939272659) and run the command `./bin/console s3:set-visibility` to correct your cloud file visibilities.

Shopware es una plataforma de comercio electrónico de código abierto. En versiones anteriores a 6.4.1.1 los archivos privados son accesibles públicamente con los proveedores de almacenamiento en la nube cuando se conoce la URL con hash. Se recomienda a usuarios que primero cambien su configuración para ajustar la visibilidad correcta de acuerdo con la documentación. La visibilidad debe estar al mismo nivel que "type". Cuando el Almacenamiento es guardado en Amazon AWS recomendamos deshabilitar el acceso público al bucket que contiene los archivos privados: https://docs.aws.amazon.com/AmazonS3/latest/userguide/access-control-block-public-access.html. En caso contrario, actualice a Shopware versión 6.4.1.1 o instale o actualice el plugin de seguridad (https://store.shopware.com/en/detail/index/sArticle/518463/number/Swag136939272659) y ejecute el comando "./bin/console s3:set-visibility" para corregir la visibilidad de sus archivos en la nube

*Credits: N/A

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

None

Availability

None

Attack Vector

Network

Attack Complexity

Low

Authentication

None

Confidentiality

Partial

Integrity

None

Availability

None

* Common Vulnerability Scoring System

SSVC

Decision:-

Exploitation

Automatable

Tech. Impact

* Organization's Worst-case Scenario

Timeline

2021-05-12 CVE Reserved
2021-06-24 CVE Published
2024-03-09 EPSS Updated
2024-08-03 CVE Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CWE-200: Exposure of Sensitive Information to an Unauthorized Actor
CWE-732: Incorrect Permission Assignment for Critical Resource

CAPEC

References (3)

URL	Tag	Source
https://github.com/shopware/platform/security/advisories/GHSA-vrf2-xghr-j52v	Third Party Advisory

URL	Date	SRC

URL	Date	SRC
https://docs.shopware.com/en/shopware-6-en/security-updates/security-update-06-2021	2022-10-25
https://github.com/shopware/platform/commit/ba52f683372b8417a00e9014f481ed3d539f34b3	2022-10-25

URL	Date	SRC

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Shopware Search vendor "Shopware"		Shopware Search vendor "Shopware" for product "Shopware"				>= 6.1.0 < 6.4.1.1 Search vendor "Shopware" for product "Shopware" and version " >= 6.1.0 < 6.4.1.1"		-		Affected